-rw-r--r-- | keystone-moon/keystone/contrib/moon/controllers.py | 4 | ||||
-rw-r--r-- | moonclient/moonclient/rules.py | 221 | ||||
-rw-r--r-- | moonclient/moonclient/tests/tests_rules.json | 373 |
3 files changed, 554 insertions, 44 deletions
diff --git a/keystone-moon/keystone/contrib/moon/controllers.py b/keystone-moon/keystone/contrib/moon/controllers.py
index 4bc619a3..c938278c 100644
--- a/keystone-moon/keystone/contrib/moon/controllers.py
+++ b/keystone-moon/keystone/contrib/moon/controllers.py
@@ -704,11 +704,11 @@ class IntraExtensions(controller.V3Controller):
 user_id = self._get_user_id_from_token(context.get('token_id'))
 intra_extension_id = kw.get('intra_extension_id', None)
 sub_meta_rule_id = kw.get('sub_meta_rule_id', None)
- rule_list = list()
 subject_category_list = kw.get('subject_categories', [])
 object_category_list = kw.get('object_categories', [])
 action_category_list = kw.get('action_categories', [])
- rule_list = subject_category_list + action_category_list + object_category_list
+ enabled_bool = kw.get('enabled', True)
+ rule_list = subject_category_list + action_category_list + object_category_list + [enabled_bool, ]
 return self.admin_api.add_rule_dict(user_id, intra_extension_id, sub_meta_rule_id, rule_list)
 
 @controller.protected()
diff --git a/moonclient/moonclient/rules.py b/moonclient/moonclient/rules.py
index b1f7e422..6b4be6f8 100644
--- a/moonclient/moonclient/rules.py
+++ b/moonclient/moonclient/rules.py
@@ -10,7 +10,7 @@ from cliff.command import Command
 from cliff.show import ShowOne
 
 
-class RulesList(ShowOne):
+class RulesList(Lister):
 """List all aggregation algorithms."""
 log = logging.getLogger(__name__)
 
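Review bot: `enabled_bool = kw.get('enabled', True)` takes the flag straight from the request body and appends it to `rule_list` without checking its type, so a client that sends `"enabled": "false"` (or any other non-boolean) has a truthy value stored and the rule is enforced as enabled. Reject anything that is not a real boolean before building the list, `if not isinstance(enabled_bool, bool):` followed by whatever validation error this controller raises elsewhere for bad input (not visible in the hunk); what `admin_api.add_rule_dict` does with the trailing element is outside the hunk, so this is the only place it can be validated. Defaulting a newly created authorization rule to enabled when the field is absent is a deliberate choice worth a comment, e.g. `# rules are active unless the caller explicitly disables them`. The enclosing method starts before the hunk and its signature is not visible here.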
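Review bot: `RulesList` now subclasses `Lister`, but the context lines show only `from cliff.command import Command` and `from cliff.show import ShowOne`, and no hunk adds `from cliff.lister import Lister`; unless it is already imported in the first nine lines, which are outside the hunk, the module fails with a NameError at import time and every `rule` subcommand disappears from the CLI. Add the import next to the other cliff imports. The class docstring `"""List all aggregation algorithms."""` is copied from another command and should describe this one, e.g. `"""List the rules attached to a sub meta rule."""`.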
@@ -18,28 +18,108 @@ class RulesList(ShowOne):
 def get_parser(self, prog_name):
 parser = super(RulesList, self).get_parser(prog_name)
 parser.add_argument(
+ 'submetarule_id',
+ metavar='<submetarule-uuid>',
+ help='Sub Meta Rule UUID',
+ )
+ parser.add_argument(
 '--intraextension',
 metavar='<intraextension-uuid>',
 help='IntraExtension UUID',
 )
 return parser
 
+ def __get_subject_category_name(self, intraextension, category_id):
+ data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/subject_categories".format(intraextension),
+ authtoken=True)
+ if category_id in data:
+ return data[category_id]["name"]
+
+ def __get_object_category_name(self, intraextension, category_id):
+ data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/object_categories".format(intraextension),
+ authtoken=True)
+ if category_id in data:
+ return data[category_id]["name"]
+
+ def __get_action_category_name(self, intraextension, category_id):
+ data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/action_categories".format(intraextension),
+ authtoken=True)
+ if category_id in data:
+ return data[category_id]["name"]
+
+ def __get_subject_scope_name(self, intraextension, category_id, scope_id):
+ data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/subject_scopes/{}".format(intraextension, category_id),
+ authtoken=True)
+ if scope_id in data:
+ return data[scope_id]["name"]
+ return scope_id
+
+ def __get_object_scope_name(self, intraextension, category_id, scope_id):
+ data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/object_scopes/{}".format(intraextension, category_id),
+ authtoken=True)
+ if scope_id in data:
+ return data[scope_id]["name"]
+ return scope_id
+
+ def __get_action_scope_name(self, intraextension, category_id, scope_id):
+ data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/action_scopes/{}".format(intraextension, category_id),
+ authtoken=True)
+ if scope_id in data:
+ return data[scope_id]["name"]
+ return scope_id
+
+ def __get_headers(self, intraextension, submetarule_id):
+ headers = list()
+ headers.append("")
+ headers.append("id")
+ self.sub_meta_rules = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/sub_meta_rules".format(intraextension),
+ authtoken=True)
+ for cat in self.sub_meta_rules[submetarule_id]["subject_categories"]:
+ headers.append("s:" + self.__get_subject_category_name(intraextension, cat))
+ for cat in self.sub_meta_rules[submetarule_id]["action_categories"]:
+ headers.append("a:" + self.__get_action_category_name(intraextension, cat))
+ for cat in self.sub_meta_rules[submetarule_id]["object_categories"]:
+ headers.append("o:" + self.__get_object_category_name(intraextension, cat))
+ headers.append("enabled")
+ return headers
+
+ def __get_data(self, intraextension, submetarule_id, data_dict):
+ rules = list()
+ cpt = 0
+ for key in data_dict:
+ sub_rule = list()
+ sub_rule.append(cpt)
+ cpt += 1
+ sub_rule.append(key)
+ rule_item = list(data_dict[key])
+ for cat in self.sub_meta_rules[submetarule_id]["subject_categories"]:
+ sub_rule.append(self.__get_subject_scope_name(intraextension, cat, rule_item.pop(0)))
+ for cat in self.sub_meta_rules[submetarule_id]["action_categories"]:
+ sub_rule.append(self.__get_action_scope_name(intraextension, cat, rule_item.pop(0)))
+ for cat in self.sub_meta_rules[submetarule_id]["object_categories"]:
+ sub_rule.append(self.__get_object_scope_name(intraextension, cat, rule_item.pop(0)))
+ sub_rule.append(rule_item.pop(0))
+ rules.append(sub_rule)
+ return rules
+
 def take_action(self, parsed_args):
 if not parsed_args.intraextension:
 parsed_args.intraextension = self.app.intraextension
- data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/sub_rules".format(
- parsed_args.intraextension),
+ data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/rule/{}".format(
+ parsed_args.intraextension,
+ parsed_args.submetarule_id,
+ ),
 authtoken=True)
- if "sub_rules" not in data:
- raise Exception("Error in command {}: {}".format("RulesList", data))
- # TODO (dthom): a better view with a Lister
+ self.log.debug(data)
+ headers = self.__get_headers(parsed_args.intraextension, parsed_args.submetarule_id)
+ data_list = self.__get_data(parsed_args.intraextension, parsed_args.submetarule_id, data)
 return (
- ("sub_rules",),
- (data["sub_rules"],)
+ headers,
+ data_list
 )
 
 
-class RuleAdd(ShowOne):
+class RuleAdd(Command):
 """List the current aggregation algorithm."""
 log = logging.getLogger(__name__)
 
@@ -47,14 +127,19 @@ class RuleAdd(ShowOne):
 def get_parser(self, prog_name):
 parser = super(RuleAdd, self).get_parser(prog_name)
 parser.add_argument(
- 'relation',
- metavar='<relation-uuid>',
- help='Relation UUID',
+ 'submetarule_id',
+ metavar='<submetarule-uuid>',
+ help='Sub Meta Rule UUID',
 )
+ # parser.add_argument(
+ # 'relation',
+ # metavar='<relation-uuid>',
+ # help='Relation UUID',
+ # )
 parser.add_argument(
 'rule',
 metavar='<argument-list>',
- help='Rule list (example: admin,vm_admin,servers)',
+ help='Rule list (example: admin,start,servers) with that ordering: subject, action, object',
 )
 parser.add_argument(
 '--intraextension',
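Review bot: The removed `if "sub_rules" not in data: raise Exception(...)` was the only check on the server response and nothing replaces it: `take_action` now hands whatever `get_url` returns straight to `__get_data`, which iterates it as a dict of rules, and `__get_headers` indexes `self.sub_meta_rules[submetarule_id]` so a wrong sub-meta-rule id surfaces as a bare KeyError. Guard both, e.g. `if submetarule_id not in self.sub_meta_rules: raise Exception("Unknown sub meta rule {}".format(submetarule_id))` at the top of `__get_headers`, plus a check on the rule payload in `take_action` once the error shape of `get_url` responses is known (it is not visible here). In `__get_data` the chain of `rule_item.pop(0)` calls, including the last one that fills the `enabled` column, raises IndexError when a rule has fewer elements than the sub meta rule has categories, so compare `len(rule_item)` with the expected count before popping. Each `__get_*_scope_name` call also issues one HTTP request per rule per category; fetching each category's scope list once before the loop would avoid N×M round trips.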
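Review bot: The five `# parser.add_argument(` … `# )` lines for the old `relation` argument are commented-out code, not documentation; the same hunk already removes the live definition, so delete the block instead of carrying it forward (history keeps it if it is ever needed). The new help text could also say what the values are, since `take_action` resolves them as scope names per category: `help='Comma-separated scope names, in this order: subject, action, object (example: admin,start,servers)'`.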
@@ -63,27 +148,86 @@ class RuleAdd(ShowOne): ) return parser + # def __get_subject_category_name(self, intraextension, category_id): + # data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/subject_categories".format(intraextension), + # authtoken=True) + # if category_id in data: + # return data[category_id]["name"] + # + # def __get_object_category_name(self, intraextension, category_id): + # data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/object_categories".format(intraextension), + # authtoken=True) + # if category_id in data: + # return data[category_id]["name"] + # + # def __get_action_category_name(self, intraextension, category_id): + # data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/action_categories".format(intraextension), + # authtoken=True) + # if category_id in data: + # return data[category_id]["name"] + + def __get_subject_scope_id(self, intraextension, category_id, scope_name): + data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/subject_scopes/{}".format(intraextension, category_id), + authtoken=True) + self.log.debug("__get_subject_scope_id {}".format(data)) + for scope_id in data: + if data[scope_id]["name"] == scope_name: + return scope_id + return scope_name + + def __get_object_scope_id(self, intraextension, category_id, scope_name): + data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/object_scopes/{}".format(intraextension, category_id), + authtoken=True) + self.log.debug("__get_action_scope_id {}".format(data)) + for scope_id in data: + if data[scope_id]["name"] == scope_name: + return scope_id + return scope_name + + def __get_action_scope_id(self, intraextension, category_id, scope_name): + data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/action_scopes/{}".format(intraextension, category_id), + authtoken=True) + self.log.debug("__get_object_scope_id {}".format(data)) + for scope_id in data: + if data[scope_id]["name"] == scope_name: + return scope_id + return scope_name + def take_action(self, 
parsed_args): if not parsed_args.intraextension: parsed_args.intraextension = self.app.intraextension - rule = parsed_args.rule.split(",") + self.sub_meta_rules = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/sub_meta_rules".format( + parsed_args.intraextension), + authtoken=True) + new_rule = map(lambda x: x.strip(), parsed_args.rule.split(",")) post = { - "rule": rule, - "relation": parsed_args.relation + "subject_categories": [], + "object_categories": [], + "action_categories": [], + "enabled": True } - data = self.app.get_url("/v3/OS-MOON/intra_extensions/{intraextension}/sub_rules".format( - intraextension=parsed_args.intraextension), + for cat in self.sub_meta_rules[parsed_args.submetarule_id]["subject_categories"]: + self.log.debug("annalysing s {}".format(cat)) + post["subject_categories"].append(self.__get_subject_scope_id( + parsed_args.intraextension, cat, new_rule.pop(0)) + ) + for cat in self.sub_meta_rules[parsed_args.submetarule_id]["action_categories"]: + self.log.debug("annalysing a {}".format(cat)) + post["action_categories"].append(self.__get_action_scope_id( + parsed_args.intraextension, cat, new_rule.pop(0)) + ) + for cat in self.sub_meta_rules[parsed_args.submetarule_id]["object_categories"]: + self.log.debug("annalysing o {}".format(cat)) + post["object_categories"].append(self.__get_object_scope_id( + parsed_args.intraextension, cat, new_rule.pop(0)) + ) + data = self.app.get_url("/v3/OS-MOON/intra_extensions/{}/rule/{}".format( + parsed_args.intraextension, parsed_args.submetarule_id), post_data=post, authtoken=True) - if "sub_rules" not in data: - raise Exception("Error in command {}: {}".format("RuleAdd", data)) - return ( - ("sub_rules",), - (data["sub_rules"],) - ) -class RuleDelete(ShowOne): +class RuleDelete(Command): """Set the current aggregation algorithm.""" log = logging.getLogger(__name__) 
@@ -91,14 +235,14 @@ class RuleDelete(ShowOne): def get_parser(self, prog_name): parser = super(RuleDelete, self).get_parser(prog_name) parser.add_argument( - 'relation', - metavar='<relation-uuid>', - help='Relation UUID', + 'submetarule_id', + metavar='<submetarule-uuid>', + help='Sub Meta Rule UUID', ) parser.add_argument( - 'rule', - metavar='<argument-list>', - help='Rule list (example: admin,vm_admin,servers)', + 'rule_id', + metavar='<rule-uuid>', + help='Rule UUID', ) parser.add_argument( '--intraextension', @@ -110,18 +254,11 @@ class RuleDelete(ShowOne): def take_action(self, parsed_args): if not parsed_args.intraextension: parsed_args.intraextension = self.app.intraextension - rule = "+".join(parsed_args.rule.split(",")) - data = self.app.get_url( - "/v3/OS-MOON/intra_extensions/{intra_extensions_id}/sub_rules/{relation_name}/{rule}".format( + self.app.get_url( + "/v3/OS-MOON/intra_extensions/{intra_extensions_id}/rule/{submetarule_id}/{rule_id}".format( intra_extensions_id=parsed_args.intraextension, - relation_name=parsed_args.relation, - rule=rule, + submetarule_id=parsed_args.submetarule_id, + rule_id=parsed_args.rule_id ), method="DELETE", authtoken=True) - if "sub_rules" not in data: - raise Exception("Error in command {}: {}".format("RuleDelete", data)) - return ( - ("sub_rules",), - (data["sub_rules"],) - ) diff --git a/moonclient/moonclient/tests/tests_rules.json b/moonclient/moonclient/tests/tests_rules.json new file mode 100644 index 00000000..cfbedecb --- /dev/null +++ b/moonclient/moonclient/tests/tests_rules.json 
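Review bot: Each `__get_*_scope_id` helper falls through to `return scope_name` when no scope carries that name, so a mistyped name in `rule add` is posted to the server as if it were a scope id, and because `take_action` discards `data` and drops the old `if "sub_rules" not in data` check, a rejected or malformed rule produces no output at all; raise instead of falling back, e.g. `raise Exception("Unknown scope '{}' in category {}".format(scope_name, category_id))`, and check the response before returning. `new_rule.pop(0)` raises a bare IndexError when fewer values than categories are supplied and silently ignores extra ones, so compare `len(new_rule)` with the total category count up front. The two debug labels are swapped: `__get_object_scope_id` logs `"__get_action_scope_id {}"` and `__get_action_scope_id` logs `"__get_object_scope_id {}"`. Under Python 3 `map(...)` returns an iterator with no `pop`, so `new_rule = [x.strip() for x in parsed_args.rule.split(",")]` is the portable form. The 17 commented-out `__get_*_category_name` lines at the top of the hunk are dead code and should be deleted rather than kept as comments.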
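Review bot: The DELETE response is thrown away — `self.app.get_url(...)` is now a bare statement and the removed `if "sub_rules" not in data: raise Exception(...)` has no replacement — so a deletion the server refuses or cannot find (wrong rule id, missing authorization) prints nothing and the rule stays in force while the operator sees a clean exit. Keep the result, `data = self.app.get_url(...)`, and raise on whatever error shape `get_url` returns for failures (not visible here), so that the `^$` expectation in the new test file only passes when the rule is actually gone. The context docstring `"""Set the current aggregation algorithm."""` no longer describes `RuleDelete` either and would be worth fixing in the same change.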
@@ -0,0 +1,373 @@ +{ + "command_options": "-f value", + "tests_group": { + "authz": [ + { + "name": "list tenant", + "command": "tenant list", + "result": "(?!alt_demo)", + "description": "Check if tenant alt_demo is used." + }, + { + "name": "add tenant alt_demo", + "command": "tenant add alt_demo", + "result": "^$", + "description": "Add a new tenant", + "command_options": "" + }, + { + "name": "check tenant alt_demo", + "command": "tenant list", + "result": "(?P<uuid>\\w+)\\s+alt_demo", + "description": "Check that tenant alt_demo has been correctly added" + }, + { + "name": "create_intraextension_authz", + "command": "intraextension create --policy_model policy_authz authz_test", + "result": "IntraExtension created: (?P<uuid_authz>\\w+)", + "description": "Create an authz intra extension", + "command_options": "" + }, + { + "name": "list_intraextension_authz", + "command": "intraextension list", + "result": "$uuid_authz", + "description": "Check the existence of that authz intra extension" + }, + { + "name": "set_tenant_authz", + "command": "tenant set --authz $uuid_authz $uuid", + "result": "", + "description": "Connect the authz intra extension to the tenant alt_demo", + "command_options": "" + }, + { + "name": "select_authz_ie", + "command": "intraextension select $uuid_authz", + "result": "Select $uuid_authz IntraExtension.", + "description": "Select the authz IntraExtension", + "command_options": "" + }, + { + "name": "check_select_authz_ie", + "command": "intraextension show selected", + "result": "$uuid_authz", + "description": "Check the selected authz IntraExtension", + "command_options": "-c id -f value" + }, + + { + "name": "check_submetarules", + "command": "submetarule show", + "result": "(?P<submetarule_uuid>\\w+)\\s+subject_security_level", + "description": "Get one submetarule ID", + "command_options": "-c id -c \"subject categories\" -f value" + }, + { + "name": "list_subject_categories", + "command": "subject category list", + "result": 
"(?P<category_slevel_uuid>\\w+)\\s+subject_security_level", + "description": "Get one subject category.", + "command_options": "-c id -c name -f value" + }, + { + "name": "list_action_categories", + "command": "action category list", + "result": "(?P<category_action_uuid>\\w+)\\s+resource_action", + "description": "Get one action category.", + "command_options": "-c id -c name -f value" + }, + { + "name": "list_object_categories", + "command": "object category list", + "result": "(?P<category_object_uuid>\\w+)\\s+object_security_level", + "description": "Get one object category.", + "command_options": "-c id -c name -f value" + }, + { + "name": "add_subject_scope", + "command": "subject scope add $category_slevel_uuid very_high", + "result": "^$", + "description": "Add one new scope.", + "command_options": "" + }, + { + "name": "check_added_subject_scope", + "command": "subject scope list $category_slevel_uuid", + "result": "(?P<scope_subject>\\s+very_high)", + "description": "Get the ID of the new scope.", + "command_options": "-c id -c name -f value" + }, + { + "name": "get_one_action_scope", + "command": "action scope list $category_action_uuid", + "result": "(?P<scope_action>\\s+storage_admin)", + "description": "Get the ID of one action scope.", + "command_options": "-c id -c name -f value" + }, + { + "name": "get_one_object_scope", + "command": "object scope list $category_object_uuid", + "result": "(?P<scope_object>\\s+high)", + "description": "Get the ID of one object scope.", + "command_options": "-c id -c name -f value" + }, + { + "name": "add_a_new_rule", + "command": "rule add $submetarule_uuid \"very_high,storage_admin,high\"", + "result": "^$", + "description": "Add a new rule.", + "command_options": "" + }, + { + "name": "check_added_rule", + "command": "rule list $submetarule_uuid", + "result": "(?P<rule_id>\\w+)\\s+very_high\\s+storage_admin\\s+high", + "description": "Check that the rule was correctly added.", + "command_options": "-c id -c 
s:subject_security_level -c a:resource_action -c o:object_security_level -f value" + }, + { + "name": "delete_added_rule", + "command": "rule delete $submetarule_uuid $rule_id", + "result": "^$", + "description": "Delete the added rule.", + "command_options": "" + }, + { + "name": "check_deleted_rule", + "command": "rule list $submetarule_uuid", + "result": "(?!very_high)", + "description": "Check that the rule was correctly deleted.", + "command_options": "-c s:subject_security_level -f value" + }, + + { + "name": "delete_authz_intra_extension", + "command": "intraextension delete $uuid_authz", + "result": "", + "description": "Delete the authz intra extension", + "command_options": "" + }, + { + "name": "list_intraextension_authz", + "command": "intraextension list", + "result": "(?!$uuid_authz)", + "description": "Check the existence of that authz intra extension" + }, + { + "name": "delete_tenant", + "command": "tenant delete $uuid", + "result": "", + "description": "Delete the tenant alt_demo", + "command_options": "" + }, + { + "name": "list tenant", + "command": "tenant list", + "result": "(?!alt_demo)", + "description": "Check if tenant alt_demo is used." + } + ], + "authz_and_admin": [ + { + "name": "list tenant", + "command": "tenant list", + "result": "(?!alt_demo)", + "description": "Check if tenant alt_demo is used." 
+ }, + { + "name": "add tenant alt_demo", + "command": "tenant add alt_demo", + "result": "^$", + "description": "Add a new tenant", + "command_options": "" + }, + { + "name": "check tenant alt_demo", + "command": "tenant list", + "result": "(?P<uuid>\\w+)\\s+alt_demo", + "description": "Check that tenant alt_demo has been correctly added" + }, + { + "name": "create_intraextension_authz", + "command": "intraextension create --policy_model policy_authz authz_test", + "result": "IntraExtension created: (?P<uuid_authz>\\w+)", + "description": "Create an authz intra extension", + "command_options": "" + }, + { + "name": "list_intraextension_authz", + "command": "intraextension list", + "result": "$uuid_authz", + "description": "Check the existence of that authz intra extension" + }, + { + "name": "create_intraextension_admin", + "command": "intraextension create --policy_model policy_admin admin_test", + "result": "IntraExtension created: (?P<uuid_admin>\\w+)", + "description": "Create an admin intra extension", + "command_options": "" + }, + { + "name": "list_intraextension_admin", + "command": "intraextension list", + "result": "$uuid_admin", + "description": "Check the existence of that admin intra extension" + }, + { + "name": "set_tenant_authz", + "command": "tenant set --authz $uuid_authz $uuid", + "result": "", + "description": "Connect the authz intra extension to the tenant demo", + "command_options": "" + }, + { + "name": "set_tenant_admin", + "command": "tenant set --admin $uuid_admin $uuid", + "result": "", + "description": "Connect the authz intra extension to the tenant alt_demo", + "command_options": "" + }, + { + "name": "check tenant alt_demo and authz ie", + "command": "tenant list", + "result": "alt_demo $uuid_authz", + "description": "Check that authz intra extension has been correctly added to the tenant.", + "command_options": "-c name -c intra_authz_extension_id -f value" + }, + { + "name": "check tenant alt_demo and admin ie", + "command": 
"tenant list", + "result": "$uuid_admin", + "description": "Check that admin intra extension has been correctly added to the tenant.", + "command_options": "-c intra_admin_extension_id -f value" + }, + { + "name": "select_authz_ie", + "command": "intraextension select $uuid_authz", + "result": "Select $uuid_authz IntraExtension.", + "description": "Select the authz IntraExtension", + "command_options": "" + }, + { + "name": "check_select_authz_ie", + "command": "intraextension show selected", + "result": "$uuid_authz", + "description": "Check the selected authz IntraExtension", + "command_options": "-c id -f value" + }, + + { + "name": "check_submetarules", + "command": "submetarule show", + "result": "(?P<submetarule_uuid>\\w+)\\s+subject_security_level", + "description": "Get one submetarule ID", + "command_options": "-c id -c \"subject categories\" -f value" + }, + { + "name": "list_subject_categories", + "command": "subject category list", + "result": "(?P<category_slevel_uuid>\\w+)\\s+subject_security_level", + "description": "Get one subject category.", + "command_options": "-c id -c name -f value" + }, + { + "name": "list_action_categories", + "command": "action category list", + "result": "(?P<category_action_uuid>\\w+)\\s+resource_action", + "description": "Get one action category.", + "command_options": "-c id -c name -f value" + }, + { + "name": "list_object_categories", + "command": "object category list", + "result": "(?P<category_object_uuid>\\w+)\\s+object_security_level", + "description": "Get one object category.", + "command_options": "-c id -c name -f value" + }, + { + "name": "add_subject_scope", + "command": "subject scope add $category_slevel_uuid very_high", + "result": "^$", + "description": "Add one new scope.", + "command_options": "" + }, + { + "name": "check_added_subject_scope", + "command": "subject scope list $category_slevel_uuid", + "result": "(?P<scope_subject>\\s+very_high)", + "description": "Get the ID of the new scope.", + 
"command_options": "-c id -c name -f value" + }, + { + "name": "get_one_action_scope", + "command": "action scope list $category_action_uuid", + "result": "(?P<scope_action>\\s+storage_admin)", + "description": "Get the ID of one action scope.", + "command_options": "-c id -c name -f value" + }, + { + "name": "get_one_object_scope", + "command": "object scope list $category_object_uuid", + "result": "(?P<scope_object>\\s+high)", + "description": "Get the ID of one object scope.", + "command_options": "-c id -c name -f value" + }, + { + "name": "add_a_new_rule", + "command": "rule add $submetarule_uuid \"very_high,storage_admin,high\"", + "result": "^$", + "description": "Add a new rule.", + "command_options": "" + }, + { + "name": "check_added_rule", + "command": "rule list $submetarule_uuid", + "result": "(?P<rule_id>\\w+)\\s+very_high\\s+storage_admin\\s+high", + "description": "Check that the rule was correctly added.", + "command_options": "-c id -c s:subject_security_level -c a:resource_action -c o:object_security_level -f value" + }, + { + "name": "delete_added_rule", + "command": "rule delete $submetarule_uuid $rule_id", + "result": "^$", + "description": "Delete the added rule.", + "command_options": "" + }, + { + "name": "check_deleted_rule", + "command": "rule list $submetarule_uuid", + "result": "(?!very_high)", + "description": "Check that the rule was correctly deleted.", + "command_options": "-c s:subject_security_level -f value" + }, + + { + "name": "delete_authz_intra_extension", + "command": "intraextension delete $uuid_authz", + "result": "", + "description": "Delete the authz intra extension", + "command_options": "" + }, + { + "name": "list_intraextension_authz", + "command": "intraextension list", + "result": "(?!$uuid_authz)", + "description": "Check the existence of that authz intra extension" + }, + { + "name": "delete_tenant", + "command": "tenant delete $uuid", + "result": "", + "description": "Delete the tenant alt_demo", + 
"command_options": "" + }, + { + "name": "list tenant", + "command": "tenant list", + "result": "(?!alt_demo)", + "description": "Check if tenant alt_demo is used." + } + ] + } +}
\ No newline at end of file |
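Review bot: The negative checks do not prove anything was deleted: `"result": "(?!very_high)"` in `check_deleted_rule` (and `(?!alt_demo)`, `(?!$uuid_authz)` elsewhere) is a lookahead tested at a single position, so it succeeds as soon as the output does not begin with that text even if `very_high` appears on a later line, and the test passes with the rule still in place. Anchor the assertion to the whole output, e.g. `"result": "^(?![\\s\\S]*very_high)"`, assuming the harness applies the pattern to the full command output with `re.search`/`re.match` (how it matches is not visible here). The `scope_subject`/`scope_action`/`scope_object` captures such as `(?P<scope_subject>\\s+very_high)` capture whitespace plus the name rather than the id their descriptions promise, and none of them is used afterwards; either capture the id column, `(?P<scope_subject>\\w+)\\s+very_high`, or drop them.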